Training

77% of the world’s revenue transactions are processed by an SAP application. Even knowing that, organizations still rely on traditional SAP security methods like Segregation of Duties to secure these critical applications. During this training you’ll have the opportunity to role play to understand both the attacker’s and the defender’s point of view. First, we’ll put ourselves in the shoes of an attacker who wants to gain access to the most critical systems of any company: its SAP applications. You’ll learn about the types of weaknesses that could affect these systems, potentially going from no access to full access, by discovering, assessing, attacking and exploiting them in a guided Capture the Flag style. In parallel, you’ll play the defender’s role, understanding key concepts and learning how to properly protect and secure these applications from the most common and emerging threats attackers are using.

Have you ever considered how critical SAP applications are for your organization? These applications are typically connected to many other systems and therefore could be exploited or attacked in a number of different ways. Traditionally, most of these applications are out of scope of regular penetration tests.
Have you ever wanted visibility into what’s stored in those complex systems that are so critical that no one wants to touch them? Have you noticed that SAP security patches are usually applied late and sometimes not at all? Do you want to illustrate the business risk of this to your organization? If so, this course is for you!
During this training we’ll do a deep dive into the “business-critical applications” world of a typical company. You’ll learn the basic concepts needed to understand and test a variety of attacks against these systems and how to secure them.
This course is designed to show you how an attacker could find, assess and exploit these systems. You’ll learn this in a hands-on way, playing the attacker’s role. Later, you’ll be in the defender’s trench, learning how to secure and protect the systems you previously exploited, in a guided Capture The Flag style activity. The training also includes exercises and live demonstrations.
After completing this training, you will be well equipped to understand the critical risks your SAP platform may be facing and how to assess them. More importantly, you will know the best practices to effectively mitigate them, proactively protecting your business-critical platforms.

Prerequisites

General knowledge of Information Security

Basic knowledge of Networking

Previous SAP expertise is welcome but NOT required!

Requirements

Laptop with permissions to install software

SAPgui should be installed on the laptop

SSH client should be installed on the laptop (such as PuTTY)

About the Speakers

Nahuel D. Sánchez

Nahuel D. Sánchez leads the Security Research Team at Onapsis. His work focuses on extensive research of SAP products and their components, identifying and reporting security vulnerabilities, attack vectors and advanced exploitation techniques applicable to different platforms. Nahuel is one of the most frequent reporters of vulnerabilities in SAP products and has published several “SAP Security In-Depth” documents. He has presented at several security conferences around the world and has delivered SAP Security Training several times, both at conferences and for large companies. He previously worked as a security consultant evaluating the security of web applications, and as a penetration tester on several worldwide projects. His areas of interest include web security, reverse engineering, and business-critical application security.

Pablo Artuso

Pablo Artuso is a Security Researcher at the Onapsis Research Labs. Most of his time is spent on vulnerability research and penetration testing projects involving SAP products, where he has helped get several bugs patched. He is one of the people responsible for delivering and keeping up to date the SAP Security Training, and has also presented on SAP security at other conferences around the world. In his spare time, he enjoys playing CTFs, including web exploitation, reverse engineering and crypto challenges.